PRIVACY POLICY of the authentication solution of Yettel. Bulgaria EAD
1. INTRODUCTION
The security and proper use of personal data are of the utmost importance to both our users and Yettel. It is therefore important for our users to understand why and how we process their personal information in connection with the use of the Solution.
This Privacy Policy does not regulate rights and obligations, but aims to explain to the users of the Solution what personal data we process, why and how we do it, including when we need to disclose personal data to third parties. It also provides information about the rights that users have in connection with the processing of personal data by Yettel.
This Privacy Policy applies solely to the data we process for and in connection with the use of the Solution. It does not apply to other cases where Yettel. processes personal data subject to the relevant policies published on https://www.yettel.bg/en/privacy.
For the sake of clarity and convenience of the users of the Solution, there are examples in some places of this Privacy Policy that illustrate why and/or how Yettel. processes personal data. These examples are not exhaustive.
2. DEFINITIONS
2.1 Solution
This means the identification solution of Yettel. Bulgaria EAD, available at https://id.yettel.bg, allowing easy, secure and hassle-free authentication (login) into the digital services of Yettel. or its Partners.
2.2 Yettel.
Yettel. Bulgaria EAD, Uniform ID Code (UIC) 130460283, having its seat and head office in the city of Sofia, postal code 1766, Mladost 4, Business Park Sofia, Building 6. In this Privacy Policy, the use of the pronouns “We”, “Us” or “Ours” shall also mean Yettel. Bulgaria EAD.
2.3 User
A person who has an account created in the Solution.
2.4 Personal data
In practice, this is any information that identifies a specific individual or that relates to an individual who can be identified directly or indirectly.
The types of personal data that Yettel. processes under this Privacy Policy are listed below.
2.5 Digital service
It means a website, an application or another service of the information society the access and use of which requires creation of an account and, respectively, authentication.
Examples:
Digital services of Yettel. are:
•Mobile application Yettel.;
•Web portal my.yettel.bg;
•Business portal business.yettel.bg.
2.6 Partner
A third party who has agreed to use the Solution as a mechanism for authentication in its digital services.
3. WHAT DATA WE PROCESS
3.1 Account data in the Solution
This is the information needed to create an account in the Solution in order to use it.
See the data:
•Mobile number (MSISDN);
•(Added on 11.03.2020) Email address;
•One time password for access (one-time-pin);
•User password (hashed);
•User ID in the Solution.
3.2 Data of a user of electronic communication services
In case a user has registered an account with MSISDN for which Yettel. provides electronic communications services, Yettel. will also process specific information about the user as a user of electronic communications services. The processing of this data is intended to ensure a high level of information security when accessing information and/or the functionalities of Yettel. digital services that use the Solution for the purposes of user authentication.
Example:
•Personal identification number (ЕГН), if MSISDN belongs to an individual;
•Client number;
•Status.
3.3 Account settings
These are user account settings that reflect the selection of certain parameters or functionalities, or that are applied by default if the user has not made a choice.
Examples:
Such data are the settings for the “remember me” functionality, password change, etc.
3.4 Data about the use of the Solution
This is automatically generated data that contains information about how users use the Solution.
Examples:
Such data are:
•Date and time of failed and successful login attempts for a user;
•A digital service where a user has logged in or failed to log in;
•A browser through which a user has logged in or failed to log in.
4. HOW WE COLLECT PERSONAL DATA
When a Solution account is created and used, Yettel. collects user data in various ways. In most cases we receive information directly from the users. Certain data are automatically generated when users use the Solution (e.g. when they authenticate to a digital service), and sometimes the data is provided to Yettel. by third parties.
We collect data directly from users:
•When an account is created and a user logs in to the Solution;
•When the user password is changed;
•When communicating with users regarding the Solution.
The following data is automatically generated:
•The data of default settings if users have not set/changed them;
•Data about the user of electronic communications services;
•Data about the use of the Solution.
We receive data from third parties:
•When users authenticate through the Solution or when they communicate with Partners in connection with the Solution, we receive data from them;
•When competent authorities exercise their powers, we receive data from them.
5. HOW AND WHY WE PROCESS PERSONAL DATA
Yettel. uses personal data primarily to enable users to access and use the Application. We call this type of data processing “processing for contractual purposes”.
In addition, Yettel. also processes data for purposes defined as "legitimate interest". Such cases concern mainly data processing that is done to understand how users use the Solution which enables us to troubleshoot or resolve issues of the Solution and to optimize and improve its design and functionality.
Of course, there are also cases where we are obliged to process personal data of users in order to fulfill obligations arising from a regulatory act.
We may request the explicit consent of Solution users for certain operations to process their personal data.
It is important to note that Yettel. does not carry out automated decision-making activities based on consumer profiling, which has legal consequences for users or significantly affects them in a similar way.
5.1 Processing for contractual purposes
Most of the data processing operations are intended to give users the opportunity to register with the Solution and to make full use of it, using it for authentication in the digital services of Yettel. and its partners.
(Supplemented on 11.03.2020) For example, when you have a Solution account and want to take advantage of the Single-Sign-On functionality that allows you to access other digital services securely and easily without having to authenticate each time, you need to provide us with basic information and we need to verify it (e.g. by sending a one-time SMS or email password) and create an identifier to share with the digital service you want to sign in to through the Solution. These steps require us to process data that is relevant to you.
5.2 Legitimate interest
In order to provide and improve the reliability, functionality, design and information security of the Solution, we process personal data of users based on our legitimate interest.
We process data to improve customer service.
It is important for us to provide quick, convenient and effective assistance to users in case they find a problem with the Solution. Ensuring the quality of customer service is critical to improving Yettel. processes and meeting customer expectations and needs.
We process data to maintain information and network security.
At Yettel., we are committed to ensuring the confidentiality, integrity and accessibility of our products and services, as well as the information concerning the customers. For this reason, we take measures aimed at preventing or detecting attacks and/or unauthorized access to the Solution and the digital services of Yettel. and its partners. We also store entries (logs) with highly restricted access that are used only when we need to investigate potential security incidents.
We process data to improve the Solution and to increase customer satisfaction.
To understand how users access and use the Solution and to identify how we can improve its design and/or functionality, we use and analyze data pertaining to users. This also includes taking preventive measures to ensure the reliability of the Solution. In these cases, the data is processed in aggregated form, which does not allow the identification of a user.
We process personal data when that is necessary in order to settle legal disputes.
Sometimes, in order to exercise its rights or legitimate interests, Yettel. may need to process personal data of certain users of the Solution in order to make an out-of-court claim or bring an action against:
•third parties from whom Yettel. received personal data about the respective users in accordance with this Privacy Policy; or
•third parties to whom Yettel. has disclosed personal data about the respective users in accordance with this Privacy Policy.
Accordingly, it is possible for the above persons, as well as the users themselves, to make an out-of-court claim or to bring an action against Yettel. In such cases, it may be necessary for Yettel. to process the personal data of certain users in order to be able to organize and enforce the defense under the respective claim or case (thus Yettel. strives to defend itself against unlawful encroachment on its property and/or reputation).
The type and volume of the processed personal data depend on the nature of the out-of-court claims or the legal actions.
Examples:
•A user claims that they did not enter a digital service through the Solution. This requires Yettel. to conduct an internal investigation of the case in order to establish the validity of the user’s claim and to provide the necessary evidence;
•A competent authority to which Yettel. has refused to provide consumer information imposes a penalty on Yettel. and Yettel. challenges the imposed penalty, which requires the processing of personal data for the relevant consumer and the submission of evidence to the relevant court.
5.3 Fulfilment of obligations arising from a regulatory act
In certain cases, the applicable national and European legislation requires Yettel. to process personal data about consumers for certain purposes, in a specific way and/or for a specified period. The main cases where Yettel. is required to process personal data in order to fulfill its regulatory obligations are described below.
We process personal data when, under applicable law, we are required to provide information to competent authorities.
The personal data processed by Yettel. are to be made available to the competent authorities subject to the conditions stipulated by law and in accordance with the envisaged procedure.
For example, according to the Criminal Procedure Code of (CPC), Yettel. is required, upon request from a court, a prosecutor or an investigative body, to provide documents or data that Yettel. holds and that are relevant to the case in question. The requested papers or data may contain personal data of users of the Solution.
We process personal data of users when, under applicable law, we are required to assist competent state and/or municipal authorities when they perform checks.
The commercial activity carried out by Yettel. is subject to control by various state and municipal authorities – e.g. Communications Regulation Commission (CRC), Consumer Protection Commission (CPC), Commission for Personal Data Protection (CPDP) and others. In the course of exercising this control these authorities have the power to make inspections and to request from Yettel. the documents and information that it holds. The requested papers and data may contain personal data of users of the Solution.
For example, when a user has submitted an alert or complaint, the CRC, CPC and CPDP have the power to request from Yettel. documents and information relating to the case that may include data of a user of the Solution.
We process personal data to fulfill obligations arising from the accounting and the tax legislation.
The tax and accounting legislation in the Republic of Bulgaria requires Yettel. to compile certain accounting and business information, including to keep such information for a specific period, as well as any other data and documents relevant for taxation. In fulfillment of this obligation, the relevant information and documents containing personal data of the users are kept by Yettel. for the terms stipulated by the respective laws. These terms are very long (for example, the documents for tax and social security control are to be kept for eleven years).
6. CATEGORIES OF PERSONS TO WHOM WE DISCLOSE PERSONAL DATA
6.1 Personal data processors
Personal data processors are persons who process personal data on behalf of and as ordered by Yettel. on the basis of a written agreement. They may not process the provided personal data for purposes other than the performance of the tasks assigned to them by Yettel. The processors are obliged to follow all Yettel. instructions.
Yettel. takes the required steps to ensure that the processors involved comply strictly with the personal data protection laws and with the instructions of Yettel. and that they have undertaken appropriate technical and organizational measures to protect personal data.
An example of personal data processors is the providers of deployment and/or maintenance of information systems who sometimes need to access the personal data processed in the relevant systems for the purposes of accessing and operating the Solution.
6.2 Partners
To enable the users to use the Solution for authentication in third party digital services, Yettel. concludes contracts with them (partners). The respective Partners need therefore to receive personal data of the users for the authentication process to take place.
6.3 Competent authorities
The provision of data to competent authorities is described above.
6.4 Third parties in connection with the transformation (e.g. merger or takeover) or transfer of an enterprise
In the case of transformation of Yettel., as well as in case of transfer of assets in accordance with the applicable legislation, it is possible that the personal data of the users will be provided to a third party – successor.
7. HOW LONG WE KEEP PERSONAL DATA
Yettel. keeps the personal data of users for as long as necessary to achieve the goals set out in this Privacy Policy or to comply with the legal requirements.
Users may request at any time to delete their accounts in the Solution in which case all personal data for which Yettel. has no other reason to further keep them will be deleted.
After the time limits for personal data processing have expired, the data are anonymized or deleted/destroyed, unless:
•they are needed for pending court, arbitration, administrative or enforcement proceedings, or in case of a complaint submitted by the respective user, which is to be considered by Yettel.; or
•the respective user has exercised their right to request restriction of the processing of the personal data concerning them.
Yettel. endeavors to ensure that the processed personal data of users are updated (and corrected if necessary) and that data which is unnecessary to achieve the goals described above are not stored.
8. HOW WE PROTECT PERSONAL DATA
Building and maintaining the trust between us and users is a key strategic priority for Yettel. Therefore, protecting our systems and personal data is paramount for both our users and Yettel. Our main goal is to make users feel safe when using Yettel. products and services. Yettel. takes the necessary technical and organizational measures to keep the personal data of users safe in accordance with the requirements of the current legislation and good practices.
In order to protect the personal data of users, Yettel. utilizes state-of-the-art technologies combined with uncompromising management of security controls. Our framework is based on some of the most popular security standards (ISO27001:2013 and others).
To ensure maximum data protection, Yettel. has adopted a number of policies that regulate data processing. A variety of mechanisms (encryption, anonymization, pseudonymisation, etc.) are applied to both data in transit and data at rest.
Yettel. has a designated data protection officer and specialized departments responsible for information security and fraud protection. They support the processes of protecting and securing personal data, and monitor their compliance.
9. RIGHTS OF DATA SUBJECTS
9.1. General information on the rights of individuals
Yettel. takes action at the request of an individual to exercise a right under this section only if Yettel. is able to identify the person concerned.
Only individuals who can be identified by Yettel. may exercise their rights under this section.
If the purposes for which Yettel. processes personal data do not require or no longer require the identification of an individual, Yettel. has no obligation to keep, obtain or process additional information in order to identify the person for the sole purpose of acting upon a request of that person.
Yettel. notifies individuals of the actions taken within one month of receiving a request under this section and in specific cases this period may be extended by another two months.
Yettel. provides information to individuals on the actions taken in relation to their requests for the exercise of rights under this section without undue delay and in any event within one month of receipt of the request. If necessary, this period may be extended by another two months, taking into account the complexity and number of requests. Yettel. informs the person concerned of any such extension within one month of receipt of the request, indicating also the reasons for any delay.
In case a request is refused, Yettel. will notify the individuals concerned of their rights.
If Yettel. does not take action on the request of an individual, Yettel. will notify the individual without delay and within one month at the latest of receipt of the request regarding the reasons for not taking action, as well as regarding the possibility of filing a complaint to the Commission for Personal Data Protection.
In specific cases, Yettel. may request additional information to verify the identity of individuals.
In case Yettel. has reasonable concerns about the identity of the individual that has filed a request under this section, Yettel. may request the provision of additional information necessary to confirm the identity of the individual.
The actions taken by Yettel. in connection with and due to requests for exercising rights will be completely free of charge to the individuals unless their claims are clearly ungrounded or excessive.
The actions that Yettel. takes for and in the exercise of user rights are completely free of charge. Where a person’s request is clearly unfounded or excessive (e.g. because of its repetitive nature), Yettel. may, at its sole discretion: (a) refuse to comply with the request; or (b) request payment of a reasonable fee, determined on the basis of the administrative costs necessary to provide the requested information or to take the requested action.
9.2 Users have the right to access the personal data concerning them.
Users have the right to receive information from Yettel. whether personal data relating to them are processed. If so, users have the right to access the relevant data.
9.3 Users have the right to request correction of the personal data relating to them when such data are inaccurate or out of date.
9.4 In certain cases, users have the right to request deletion of the personal data relating to them.
Users have the right to request Yettel. to delete personal data relating to them in the following cases:
•the personal data are no longer needed for the purposes for which they were collected or processed;
•the user has withdrawn their consent on the basis of which the processing of personal data takes place and there is no other legal basis for the processing of the personal data;
•the user has objected to the processing of personal data which is based on Yettel.’s legitimate interest unless there are other legitimate grounds for processing which take precedence over the interests, rights and freedoms of the user, or the processing of data is necessary for the establishment, exercise or the defense of legal claims;
•the user has objected to the processing of personal data for the purposes of direct marketing and there are no other legitimate grounds for the processing of the data;
•the personal data relating to the respective user were processed unlawfully;
•the personal data must be deleted by Yettel. in order to comply with a legal obligation arising from the law of the Republic of Bulgaria or the law of the European Union.
9.5 In certain cases users have the right to request a restriction on the processing of personal data relating to them.
Users may request Yettel. to restrict the processing of personal data relating to them in the following cases:
•the accuracy of personal data is challenged by the user for a period allowing Yettel. to verify the accuracy of the personal data;
•the processing is unlawful, but the user does not want the personal data to be deleted, but instead requires restriction on their use;
•Yettel. does not need the personal data for processing purposes any longer but the user requires them in order to establish, exercise or defend legal claims;
•the user has objected to the processing of personal data based on Yettel.’s legitimate interest pending verification whether Yettel.’s legitimate grounds have priority over Yettel.’s interests.
9.6 In certain cases, users are entitled to portability of personal data relating to them.
Users have the right to receive from Yettel. the personal data they provided in a structured, widely used and machine-readable format and to transfer those data to another administrator without hindrance by Yettel., insofar as:
•Yettel. processes those data for the purpose of entering into or executing a contract with the user or on the basis of the user’s consent; and
•the processing of the relevant data is carried out by automated means.
Users have the right to ask Yettel. to transfer their personal data directly to another administrator when technically feasible.
9.7 In certain cases, users have the right to object to the processing of personal data relating to them.
Users have the right, at any time and on grounds relating to their particular situation, to object to the processing of personal data relating to them when Yettel. processes their data in order to protect their legitimate interests.
9.8 Users have the right to file a complaint to a data protection supervising authority.
Users have the right to file complaints or alerts to the Commission for Personal Data Protection (CPDP) in case they believe that Yettel. violates personal data protection legislation. Instructions for filing complaints are published on the CPDP website: https://www.cpdp.bg
Users may also file complaints with other supervisory authorities on the territory of the European Union as provided for in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC).
10. INFORMATION FOR CONTACT WITH TELENOR
Yettel. Bulgaria EAD, Uniform ID Code (UIC) 130460283, having its seat and head office in the city of Sofia, postal code 1766, Mladost 4, Business Park Sofia, Building 6, is the administrator of personal data that are processed in this Privacy Policy.
For questions and inquiries regarding the processing of personal data, please contact our Customer Service Center. Contact information for the Customer Service Center is published on the following address: https://www.yettel.bg/bg/private/online-request
Yettel. Customer Service Center can help you get in contact with our data protection officer.
11. UPDATING THE PRIVACY POLICY
This Privacy Policy was updated on 11.03.2020.
This Privacy Policy may be amended or supplemented due to amendments to the applicable law, at the initiative of Yettel., consumers or a competent authority (e.g. Personal Data Protection Commission).
Yettel. strives to inform the users of the Solution about the amendment or supplementation of this Privacy Policy within 7 (seven) days before its entry into force by sending a message to the number used for registration in the Solution.
It is recommended that users periodically check the most recent version of this Privacy Policy published on www.yettel.bg/privacy.